Salt-Labs researchers uncover security issues that may have allowed attackers to leverage a vulnerability commonly believed to be obsolete.
PALO ALTO, Calif. – July 29, 2024 – Salt Security, the leading API security company, today released new threat research from Salt-Labs, highlighting critical security flaws within popular web analytics provider Hotjar and a renowned global news outlet - highlighting elevated risk for enterprises. Hotjar is a leading solution for product teams who want to go beyond traditional web and product analytics so they can empathize with and understand their users—to connect the dots between what's happening and why it happens, so they can improve the user experience (UX) and create customer delight. The company serves over one million websites, including global brands. These vulnerabilities could have potentially allowed an attacker unlimited access to sensitive data sets within these services, affecting millions of users and organizations worldwide.
These findings are not exclusive to these services but highlight a bigger issue that likely exists within similar ecosystems.
Cross-site scripting (commonly known as XSS) is a security issue that has existed since the early days of the World Wide Web. It has since been analyzed and mitigated in many layers using countless techniques, ultimately reducing its overall security risk to a minimal level. However, the emergence of new technologies can cause a major ecosystem change, which introduces new opportunities for attackers to leverage historical flaws such as XSS and escalate security risk significantly.
Recent Salt-Labs research demonstrates exactly this point, notably when combining XSS and recently popularized technology known as OAuth. OAuth has become the de facto authorization/authentication protocol of the past decade. Even if organizations use it unknowingly, OAuth is utilized by thousands of web services, as it plays a key role in any service that provides ‘Social-Login’ functions, among many others.
By combining OAuth features with the old XSS vulnerability, Salt-Labs researchers have successfully proven the ability to take over any account in Hotjar and the major news source’s online services.
To exploit this vulnerability, an attacker can simply send the victim a valid link to the service they want to attack. This link can be sent via any possible channel (email, text message, social media, or posted in an online forum, etc). As the link is completely legitimate, the victim will have practically no way to determine if it is part of a larger attack without a deep technical analysis. Once a victim clicks on the link, the attacker can gain full control of the account, allowing them to perform any actions on the account and gain access to any data stored in the account.
While Salt-Labs’ research focused on two “example” targets - Hotjar and the major news source, this issue is not constrained to them. Due to the popularity of OAuth and the widespread existence of XSS issues, this issue likely exists in numerous other web services, showcasing the risks that accompany bundled API usage.
We recommend that security teams read through the technical details and detailed explanations listed in our blog post to better understand the potential exposure of their online services. We also recommend that users exercise caution when clicking on unknown links, even those sent from trusted sources.
The Salt-Labs team has also released a unique tool that will help companies assess their own risks of similar vulnerabilities with the goal to reduce their risk profile. Until now, this tool was used internally by Salt-Labs to identify risks and vulnerabilities. If you are a domain/website owner and interested in assessing your risk, please click here to complete your free scan.
Our ongoing research demonstrates additional pillars to the risks tangled in API usage, specifically with the use of popular OAuth tools. At the beginning of 2024, we highlighted these risks when we revealed critical OAuth vulnerabilities in the popular AI Tool, ChatGPT.